Operating System - HP-UX
Mike Smith_33
Super Advisor

Locking out root account - ramifications?

I have been flagged by the SOX auditors for logging directly into the root account. It has been "recommended" that I lock the root account down, create a personal account, and use the personal account to su to root when I need to do privileged work. (I am the system admin, so my entire job would be privileged work.)

I considered locking the root account to only allow console access, but I have an iLO board, so I can access it from just about anywhere, which would sort of defeat the lock-it-down purpose.

What are some of the dangers/drawbacks to completely locking off access to the root account except through su?

P.S. Thanks in advance for responses.
Patrick Wallek
Honored Contributor

Re: Locking out root account - ramifications?

I have ALL servers set up such that root can only login directly from the console.

In fact I am thinking of making it so no one can log in as root directly and just using sudo to do administrative work.

From my perspective, there are no drawbacks. If you have sudo set up appropriately you will still have all the access you need and never need to actually log in as root.

The security aspect is the big draw. If no one knows the root password, and it is complex enough that it would be difficult to guess, then root has a much smaller chance of being compromised.
Steven E. Protter
Exalted Contributor

Re: Locking out root account - ramifications?

Shalom,

The implications of this are an improvement in security. This is an approach recommended by HP in its own security courses. There are no dangers in doing this so long as console access is permitted.

I recommend that LAN consoles be used so the console can be accessed remotely and people don't have to drive to work to gain emergency access to systems.

I can see no dangers so long as the root password is known to those that need to know it and the console password is not easily guessable.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mike Smith_33
Super Advisor

Re: Locking out root account - ramifications?

Thanks for the quick responses. I will give the topic overnight access before assigning points and closing.

One quick question: in my opinion, locking down root except for the console, if you split hairs, is more secure, yet as long as the console is still available (which, since I have an iLO card, is just a telnet away), the issue can't be completely resolved, irrespective of the complexity of the console password.

Am I missing something?
Patrick Wallek
Honored Contributor

Re: Locking out root account - ramifications?

Yes, there is still the issue with the ILO cards, web consoles, etc. BUT the thing with those is that you have to log into those separately BEFORE you actually have console access.

You are correct to be concerned, but also there is just so much that one can do.
Rick Garland
Honored Contributor

Re: Locking out root account - ramifications?

You must have at least one place you can log in as root. This is the console.

Do not lock out root entirely; leave the console.
A. Clay Stephenson
Acclaimed Contributor

Re: Locking out root account - ramifications?

I am leaning towards locking the root account completely and using sudo. Sudo does allow a regular user to become a super-user even if the account is locked -- something that su does not allow. Another thing to take into account is the possibility of someone deliberately attempting to log in to a known account 'root' too many times so that the account is locked. In that case, console login of root is allowed, but sudo means that you can do it remotely. Moreover, sudo leaves a log. I am not a big fan of Web consoles or iLO boards or the like for machines that require high security. A reasonable approach is to only allow root login from a hard-wired device, but a locked root account with sudo access really addresses the problem well.
If it ain't broke, I can fix that.
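The three controls the thread settles on (root confined to the console, the root account locked, sudo leaving a log of who became root) can be checked from a shell. This is an added example, not code from the thread; it assumes HP-UX lists the terminals root may log in from in /etc/securetty (a lone "console" entry means console only), that a locked account carries "*" in its password field, and that sudo logs through syslog in the "user : TTY=... ; USER=root ; COMMAND=..." form. All sample files are constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: HP-UX /etc/securetty
# format, "*" password field for a locked account, standard sudo syslog lines.

# root_console_only FILE : succeeds if FILE names "console" and nothing else
root_console_only() {
    entries=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    [ "$entries" = "console" ]
}

# root_locked PASSWDFILE : succeeds if root's password field is "*"
root_locked() {
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    [ "$field" = "*" ]
}

# sudo_root_users LOG : prints each user who ran a command as root, once
sudo_root_users() {
    awk '/ sudo: / && / USER=root / {
        for (i = 1; i <= NF; i++) if ($i == "sudo:") { print $(i+1); break }
    }' "$1" | sort -u
}

# make_samples DIR : writes constructed sample files (hypothetical hosts/users)
make_samples() {
    printf 'console\n' > "$1/securetty.ok"
    printf 'console\nttyp1\n' > "$1/securetty.bad"     # a remote pty is allowed
    printf 'root:*:0:3::/:/sbin/sh\n' > "$1/passwd.locked"
    printf 'root:AbCd1234xyz:0:3::/:/sbin/sh\n' > "$1/passwd.open"
    cat > "$1/syslog" <<'EOF'
Jun  1 09:10:11 hpux1 sudo:   msmith : TTY=pts/0 ; PWD=/home/msmith ; USER=root ; COMMAND=/usr/sbin/swlist
Jun  1 09:12:40 hpux1 sudo:   pwallek : TTY=pts/1 ; PWD=/home/pwallek ; USER=root ; COMMAND=/usr/sbin/ioscan
Jun  1 09:15:02 hpux1 sudo:   msmith : TTY=pts/0 ; PWD=/home/msmith ; USER=oracle ; COMMAND=/bin/ls
Jun  1 09:20:00 hpux1 sudo:   msmith : TTY=pts/0 ; PWD=/home/msmith ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
EOF
}

# audit : dry run against the weak sample files, prints the findings
audit() {
    d=$(mktemp -d)
    make_samples "$d"
    root_console_only "$d/securetty.bad" && echo "root confined to console" \
        || echo "WARNING: root may log in from a non-console tty"
    root_locked "$d/passwd.open" && echo "root account locked" \
        || echo "WARNING: root has a usable password"
    echo "users who became root via sudo:"; sudo_root_users "$d/syslog"
}

audit
```

Point the functions at the real /etc/securetty, /etc/passwd and syslog file to run the same checks on a live box.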
Mike Smith_33
Super Advisor

Re: Locking out root account - ramifications?

Based on the responses, I have a much better understanding of the issues.